Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 10 and March 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for March 10 to March 17

Due to JSON format limitations, the vulnerability only manifests itself as a remote denial of service in Ghost CMS, which crashes the Node.js process. However, the vulnerability could potentially lead to remote code execution in other products that use it.

Thursday, March 16, 2023 14:03

_Dave McDaniel of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered a vulnerability in node-sqlite3 that affects the Ghost content management system and could affect other software utilizing this library.

Ghost is a content management system with tools to build a website, publish content and send newsletters.

The node-sqlite3 library provides asynchronous, non-blocking SQLite3 bindings for Node.js. Ghost maintains the node-sqlite3 library and uses it in its CMS platform.

Talos identified a remote code execution vulnerability if an attacker sends the target a specially crafted JSON object. TALOS-2022-1645 (CVE-2022-43441) exists in the node-sqlite3 module, which provides asynchronous, non-blocking SQLite3 bindings for Node.js and could affect applications using the module.

Due to JSON format limitations, the vulnerability only manifests itself as a remote denial of service in Ghost CMS, which crashes the Node.js process. However, the vulnerability could potentially lead to remote code execution in other products that use it.

Cisco Talos worked with Ghost to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Ghost Foundation node-sqlite3 5.1.1. Talos tested and confirmed this version of node-sqlite3 could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60946. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Node-SQLite3 issue could lead to denial of service in Ghost CMS

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.

Thursday, March 16, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

We’re written a ton about Cisco Talos’ support of Ukraine and our friends and allies there. Now, we encourage you to watch and listen to the folks who have been working hands-on there.

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine to help defend critical infrastructure, intelligence partners and government agencies in Ukraine. You can watch the full documentary above, or over on YouTube here.

**The one big thing**

We have new research out on a never-before-seen threat actor called YoroTrooper that’s carrying out a variety of espionage activity in Europe and Asia. This group has targeted several high-profile government organizations, including one in the European Union, stealing sensitive information such as login credentials, browser histories and cookies, system information and screenshots.

**Why do I care?**

While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, we believe this is a new cluster of activity from an entirely new threat actor. YoroTrooper is clearly going after major targets and has already been successful, so everyone should be on the lookout for these attacks, but especially users and organizations in Commonwealth of Independent States (CIS) countries.

**So now what?**

YoroTrooper creates malicious domains and spoofs commonly visited URLs that look like they belong to government agencies in the targeted countries to host its malware. So any time you go to open an email attachment or click on a link in an email, triple check to make sure it’s really where you want to go, or that you can verify the sender. Additionally, the blog outlines a range of protections in Cisco Secure products that can defend and detect this group’s actions.

**Top security headlines of the week**

The APLHV ransomware cartel claims to have **successfully stolen data belonging to Amazon’s Ring smart home company.** The ransomware gang’s dark website threatened to leak the data earlier this week, though it showed no evidence of a successful attack. Ring said on Tuesday that it had “no indications that Ring has experienced a ransomware event.” ALPHV, which is known for the BlackCat malware, usually encrypts targets’ data and threatens to leak the stolen information if the victim does not pay the requested ransom payment. Politico also reported this week that Ring will openly share recorded footage with local law enforcement, even if the camera’s user declines to do so, sparking questions about who owns security footage on private property and whether users are compelled to share those recordings. (Vice, TechCrunch, Politico)

Sensitive information from D.C. Health Link — the online health insurance marketplace for Washington, D.C. — is **reportedly for sale on the dark web,** potentially affecting White House staff and members of Congress. An internal memo last week warned of a "significant data breach” that potentially exposed the personal information of thousands of federal employees and warned potential victims that their data may have been compromised. As many as 21 members from the U.S. House and Senate could be affected, all of whom get their insurance through the program. In all, 56,415 customers were affected, according to the exchange. (CBS News, Roll Call)

Microsoft **released its monthly security update Tuesday,** disclosing 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months. Two of the vulnerabilities included in March’s security update have been exploited in the wild, according to Microsoft, including one critical issue. One of the zero-days included this month, CVE-2023-23397, is a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary. To trigger this vulnerability, a user doesn’t even need to open the email or preview it, the vulnerability is triggered as soon as the email is retrieved by the targeted email server. (Cisco Talos, SecurityWeek)

**Can’t get enough Talos?**

*   Talos Takes Ep. #130: There’s not actually more spam during tax season, just different spam
*   Researcher Spotlight: How David Liebenberg went from never having opened Terminal to hunting international APTs
*   YoroTrooper cyberspies target CIS energy orgs, EU embassies
*   YoroTrooper Espionage Campaigns Target CIS, EU Countries
*   Updated Prometei botnet evades defenses, mines Monero

**Upcoming events where you can find Talos**

**WiCyS (March 16 - 18)**

Denver, CO

**RSA (April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Wednesday, March 15, 2023 19:03

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Microsoft released a patch for the privilege escalation vulnerability on Tuesday as part of its monthly security update. Along with the patch, Microsoft released a security advisory detailing the targeted, but limited attacks they saw leveraging this particular vulnerability.

Microsoft subsequently assessed that the activity was associated with Russian based actors and used in limited, targeted attacks against a small number of organizations. The Computer Emergency Response Team of Ukraine first reported the vulnerability to Microsoft.

CVE-2023-23397 does not affect non-Windows versions of Outlook such as apps for Android, iOS, Mac, as well as Outlook on the web and other Microsoft 365 services. However, the CVSS attack complexity is rated “Low”. An attacker can exploit this vulnerability simply by sending the victim a specially crafted email. The vulnerability is triggered when the Outlook client retrieves and processes the message. According to Microsoft, “This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

As of Wednesday evening, Kenna Security scored CVE-2023-23397 with a risk score of 74 out of 100 — higher than 99 percent of all the vulnerabilities it has scored. However, the risk score is expected to rise once proof-of-concept exploit code becomes available.

Users should implement the patch as soon as possible. Additionally, Talos has released Snort rules 61478 and 61479, and Snort 3 signature 300464 to detect the exploitation of this vulnerability.

**Vulnerability details**

CVE-2023-23397 affects all Microsoft Outlook products on the Windows operating system. It is a critical escalation of privilege vulnerability via NTLM credential theft. Attackers can create a specially crafted email message, calendar invite, or task containing the extended MAPI property “PidLidReminderFileParameter.”

The “PidLidReminderFileParameter” property specifies the “filename of the sound that a client should play when the reminder for that object becomes overdue.” Inside the PidLidReminderFileParameter property, the attacker specifies a Universal Naming Convention (UNC) path to an SMB share controlled by the attacker. This leads a vulnerable system to send the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.

**Mitigations**

The ideal course of action to address this vulnerability is to install the patch provided by Microsoft. If, for some reason, your organization cannot apply this particular patch, Microsoft also provided a few mitigation options including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network. For full details, see the advisory linked above.

Microsoft also released a script intended to help administrators audit their Exchange server for messaging items (mail, calendar and tasks) that have a PidLidReminderFileParameter property populated with a Universal Naming Convention (UNC) path.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following Snort coverage for CVE-2023-23397  
SIDs:  
Snort 3: 300464  
Snort 2: 61478-61479

Threat Advisory: Microsoft Outlook privilege escalation vulnerability being exploited in the wild

Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.

Tuesday, March 14, 2023 16:03

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.

Two of the vulnerabilities included in March’s security update have been exploited in the wild, according to Microsoft, including one critical issue.

In all, eight of the issues disclosed this month are critical, while the remainder — outside of one — is “important.”

A moderate-severity vulnerability that’s already being exploited in the wild is CVE-2023-24880, a security feature bypass vulnerability in Windows SmartScreen, a cloud-based anti-phishing and anti-malware feature included in several Microsoft products. An attacker could exploit this vulnerability to craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. This, in theory, could allow the attacker to pass a malicious file through without it being detected.

The other zero-day included this month is CVE-2023-23397, a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary.

To trigger this vulnerability, a user doesn’t even need to open the email or preview it, the vulnerability is triggered as soon as the email is retrieved by the targeted email server.

Three of the other critical vulnerabilities Microsoft is patching have a CVSS severity score of 9.8 out of 10: CVE-2023-21708, CVE-2023-23392 and CVE-2023-23415.

CVE-2023-21708 is a remote code execution vulnerability in Microsoft Remote Call Procedure (RCP). To exploit this vulnerability, an unauthenticated attacker could send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.

The attacker would need to have access to TCP port 135 on the remote host, so Microsoft considers this vulnerability “less likely” to be exploited, especially from an outside network perimeter. But an attacker who already have a foothold on an internal network could use this vulnerability to compromise other machines in the same domain if the target doesn’t block this port.

Another remote code execution vulnerability exists on the HTTP protocol stack on Windows 11 and Windows Server 2022. An attacker could exploit CVE-2023-23392 by sending a specially crafted packet to a targeted server that utilizes the HTTP Protocol Stack to process packets. For a server to be vulnerable, it must already have HTTP/3 enabled and use buffered I/O. HTTP/3 support for services is a new feature of Windows Server 2022. Another escalation of privilege vulnerability in the same component (CVE-2023-23410) may allow an attacker to elevate privileges to SYSTEM.

CVE-2023-23415 is the only vulnerability among the three with 9.8 CVSS scores that is “more likely” to be exploited, according to Microsoft. An attacker could exploit this vulnerability in the Internet Control Message Protocol (ICMP) to gain the ability to execute remote code with SYSTEM-level privileges.

An attacker could send fragmented ICMP error messages to a remote target and cause a read past the fragment buffer end. This could cause a BSOD if the read crosses a page boundary or give the attacker remote code execution abilities.

The other critical vulnerabilities are:

*   CVE-2023-23404, a remote code execution vulnerability in Windows point-to-point tunneling protocol
*   CVE-2023-23411, a denial-of-service vulnerability in Windows Hyper-V
*   CVE-2023-23416, a remote code execution vulnerability in Windows cryptographic services

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61464 - 61467. The Snort 3 SIDs are 300460 and 300461.

Microsoft Patch Tuesday for March 2023 — Snort rules and prominent vulnerabilities

Cisco Talos has identified a new espionage oriented threat actor, which we are naming “YoroTrooper,” targeting a multitude of entities in Europe and Turkey.

Tuesday, March 14, 2023 07:03

_By_ _Asheer Malhotra_ _and_ _Vitor Ventura__._  

*   Cisco Talos has identified a new threat actor, which we are naming “YoroTrooper,” that has been running several successful espionage campaigns since at least June 2022.  
    
*   YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis. We also observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO). Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies.  
    
*   Information stolen from successful compromises include credentials from multiple applications, browser histories & cookies, system information and screenshots.  
    
*   YoroTrooper’s main tools include Python-based, custom-built and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. For remote access, YoroTrooper has also deployed commodity malware, such as AveMaria/Warzone RAT, LodaRAT and Meterpreter.  
    
*   The infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in malicious archives delivered to targets. The actor appears intent on exfiltrating documents and other information, likely for use in future operations.

**Introducing YoroTrooper**

This new threat actor we are naming “YoroTrooper” has been targeting governments across Eastern Europe since at least June 2022, and Cisco Talos has found three different activity clusters with overlapping infrastructure that are all linked to the same threat actor. Cisco Talos does not have a full overview of this threat actor, as we were able to collect varying amounts of detail in each campaign. In some cases, for instance, we were able to fully profile a campaign, while in other cases, we only identified the infrastructure or compromised data.  

Our assessment is that the operators of this threat actor are Russian language speakers, but not necessarily living in Russia or Russian nationals since their victimology consists mostly of countries in the Commonwealth of Independent States (CIS). There are also snippets of Cyrillic in some of their implants, indicating that the actor is familiar with the language. Also, in some cases, the attackers are targeting Russian language endpoints (with Code Page 866), indicating a targeting of individuals speaking that specific language.  

Espionage is the main motivation for this threat actor, according to the tactics, techniques and procedures (TTPs) we have analyzed. To trick their victims, the threat actor either registers malicious domains and then generates subdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious artifacts. The table below contains some of the domains created by this actor.

Malicious subdomain

Legitimate domain

Entity

mail\[.\]mfa\[.\]gov\[.\]kg\[.\]openingfile\[.\]net

mfa\[.\]gov\[.\]kg

Kyrgyzstan’s Ministry of Foreign Affairs

akipress\[.\]news

akipress\[.\]com

AKI Press News Agency (Kyrgyzstan-based)

maileecommission\[.\]inro\[.\]link

commission\[.\]europa\[.\]eu

European Commission’s email

sts\[.\]mfa\[.\]gov\[.\]tr\[.\]mypolicy\[.\]top

mfa\[.\]gov\[.\]tr

Turkey’s Ministry of Foreign Affairs

industry\[.\]tj\[.\]mypolicy\[.\]top

industry\[.\]tj

Tajikistan’s Ministry of Industry and New Technologies

mail\[.\]mfa\[.\]az-link\[.\]email

mail\[.\]mfa\[.\]az

Azerbaijan’s Ministry of Foreign Affairs

belaes\[.\]by\[.\]authentication\[.\]becloud\[.\]cc

belaes\[.\]by

Belarusian Nuclear Power Plant (Astravets)

belstat\[.\]gov\[.\]by\[.\]attachment-posts\[.\]cc

belstat\[.\]gov\[.\]by

National Statistical Committee of Belarus

minsk\[.\]gov\[.\]by\[.\]attachment-posts\[.\]cc

minsk\[.\]gov\[.\]by

Official Website of the Government of Minsk (Belarus)

The initial attack vectors are phishing emails with a file attached, which usually consists of an archive consisting of two files: a shortcut file and a decoy PDF file. The shortcut file is the initial trigger for the infection, while the PDF is the lure to make the infection look legitimate. The full details of the campaigns are detailed in the section below.  

Regarding YoroTrooper’s toolset, the actor uses several commodity remote access trojans (RAT) and credential stealers. For RATs, we have seen the usage of AveMaria/Warzone RAT, LodaRAT, and a custom-built implant based on Python. Credential stealers used by YoroTrooper are either custom scripts, which in some cases are based on the open-sourced Lazagne project or commodity stealers such as the Stink Stealer. All the Python-based malware used in the campaign is wrapped up into an executable using frameworks such as Nuitka or PyInstaller. The custom implants (stealers and RATs) use Telegram bots to exfiltrate information or receive commands from the operator.

**Successful infections and breaches by YoroTrooper  
**

Our analysis has shown that YoroTrooper successfully obtained access to credentials of at least one account from a critical EU health care agency’s internet-exposed system and another from the World Intellectual Property Organization (WIPO). However, it is unclear if the threat actors targeted these institutions specifically via such phishing domains or if the credentials were compromised because they belong to users from a specific list of targeted countries in Europe. We found malicious domains masquerading as those of legitimate European Union government agencies, such as “maile**ecommission**\[.\]inro\[.\]link”, which indicates that other European institutions were targeted.  

YoroTrooper also successfully compromised embassies belonging to Turkmenistan and Azerbaijan, where the operators attempted to exfiltrate documents of interest and deploy additional malware.  

Typically, YoroTrooper employs information stealers and RATs. An analysis of their stolen data reveals a treasure trove of information stolen from infected endpoints, such as credentials, histories and cookies for multiple browsers. Information such as credentials is highly valuable as they may be used either during lateral movement efforts or during subsequent YoroTrooper campaigns. Browsing histories can be used by a threat actor to specifically target victims with phishing lures based on their browsing habits.

**YoroTrooper affiliation assessment**

While attribution can be difficult, we assess that there are no relevant overlaps between YoroTrooper and Kasablanka, the group behind the development of LodaRat4Android. Our analysis on Kasablanka in 2021 was that the operators might be different from the developers, which we can now confirm.  

The overlaps with the PoetRAT team are stronger, especially on non-technical aspects of the campaigns but there are not enough for us to link them even with a low confidence level. Cisco Talos discovered the PoetRAT team in 2020 during a series of campaigns that successfully compromised Azerbaijan embassies and other government agencies.

While there are no concrete links between operators of PoetRAT and YoroTrooper, such as infrastructure overlaps, there are some similarities in their TTPs and victimology. Both actors use open-source tools to perform credential exfiltration and initial reconnaissance. In terms of bespoke tools, both threat actors have an affinity towards using Python-based implants, usually distributed, implemented or packed in a rather unusual way that is characteristic of the respective threat actors. The PoetRAT team would append the Python interpreter to a malicious document that would be extracted and used to execute the Python-based PoetRAT. YoroTropper used the Nuitka framework to pack their custom credential stealer in such a weird way that it ended up leaking the Python code rather than obfuscating it.  

Regarding victimology, there are some noteworthy overlaps between YoroTrooper and the PoetRAT team, who mainly target Azerbaijan, specifically their embassies, energy sector and government institutions. YoroTropper is also targeting Azerbaijan and other CIS countries, and their embassies, with a similar focus on the energy sector.

**Kasablanka is not the sole operator of LodaRAT**

While attributing this campaign to a specific threat actor, what stuck out the most was the use of LodaRAT and its repeated attribution to a singular threat actor called “Kasablanka” in open-source reporting. While Talos assesses that LodaRAT is built and sometimes operated by Kasablanka, there is evidence that indicates that LodaRAT is being used in multiple distinct campaigns. Therefore, despite the fact that LodaRAT isn’t publicly available, either open-sourced or for sale publicly — although one can be decompiled easily for use by any actor — our assessment is that there are multiple operators in the threat landscape employing LodaRAT. Therefore, YoroTrooper’s use of LodaRAT should _**not**_ be used as the sole indicator for attribution.  

Our research shows that the LodaRAT samples used by YoroTrooper deviate from previous versions of the malware employed by Kasablanka. In fact, the LodaRAT variants used by Yoro Trooper are based on versions we’ve seen being deployed in other crimeware campaigns alongside RedLine and VenomRAT, indicating LodaRAT’s availability to multiple threat actors.

This strengthens our assertion that although Kasablanka is the developer of LodaRAT and Loda4Android, it is not the sole operator of LodaRAT, an assessment we made as early as 2021.

**Campaign profiles**

This threat actor extensively targets CIS countries using a variety of malware deployed by a relatively simple infection chain. The operators have utilized a diverse suite of malware such as:  

*   Commodity RATs and stealers: Warzone, LodaRAT and Stink stealer.
*   Custom Python-based information stealers: Custom scripts for stealing Google Chrome browser credentials.
*   Custom Python-based RATs (with exfiltrators): First seen in June 2022, but gained popularity with the threat actor around February 2023.
*   Reverse shells: Python and Meterpreter-based reverse shells.  
    

The following is a timeline of the various geographies targeted by attacks in the campaign operated by YoroTrooper.

Time frame

Targeted Geography

Salient TTPs

February 2023

Uzbekistan

• Reuses Uzbekistani themed lures/decoys:

• Memo from energy company “UZBEKHYDROENERGO”

• Deploys a custom-built Python based reverse shell and file exfiltrator with variants built via PyInstaller and Nuitka.

• Uses HTA files.

• Also deploys Meterpreter reverse shells in certain cases.

Late January 2023

Uzbekistan

• Uses Uzbekistani themed lures/decoys:

• Memo from energy company “UZBEKHYDROENERGO”

• Deploys Python implant - custom Python based stealer.

• HTA downloads Decoy and dropper implant.

Early January 2023

Tajikistan

• Uses Tajikistani themed lures: Report from Government of Tajikistan.

• Deploys Python implant - custom Python based stealer.

• HTA downloads decoy documents and dropper implants.

December 2022

Russia

• Uses Russian themed lures.

• Uses VHDX files containing archives and LNKs that download and activate LodaRAT.

November 2022

Azerbaijan

• Uses Azerbaijani lures and malicious domains:

• mail\[.\]mfa\[.\]az\-link\[.\]email, true\[.\]az\-link\[.\]email

• Deploys Python implant - Stink stealer.

October 2022

Belarus

• IPs and domains masquerade as Belarusian domains: 

• mail\[.\]belaes\[.\]by\[.\]authentication\[.\]becloud\[.\]cc

• One variant of HTA downloads only AveMaria/Warzone RAT.

• Another variant of HTA downloads only Python based implants - Stink stealer.

• No lures.

September 2022

Russia

• VHDX based distribution introduced.

• No HTAs employed - LNKs download .NET based implants directly using curl.

• Malicious subdomains masquerading (typo-squatted) as Russian government entities:

• rnail\[.\]mintrans\[.\]gov\[.\]ru\[.\]inro\[.\]link ; rnail\[.\]iterrf\[.\]ru\[.\]inro\[.\]link ; account\[.\]nail\[.\]ru\[.\]inro\[.\]link ; rnail\[.\]rnid\[.\]ru\[.\]inro\[.\]link

August 2022

Belarus, Russia

• IPs and domains masquerade as Belarusian and Russian domains: 

• mail\[.\]hse\[.\]ru\[.\]attachment-posts\[.\]cc ; belstat\[.\]gov\[.\]by\[.\]attachment-posts\[.\]cc ; minsk\[.\]gov\[.\]by\[.\]attachment-posts\[.\]cc

• No HTAs employed - LNKs download Python based reverse shells directly using curl.

• Corrupt PDFs used as lures.

  

**Campaigns infection chain**

The latest infection chain from January 2023 is relatively straightforward but consists of multiple components such as archives, LNKs, HTAs and ultimately the final payloads:  

The infection chains begin with a malicious archive (RARs or ZIPs) delivered to targets with lure document titles referring to topics of interest to CIS nations, such as:

*   National\_Development\_Strategy.rar
*   Presidents\_Strategy\_2023.rar  
    

The campaign has also employed some generic file names as well such as “Nota.rar”, “вложение.rar”.  

We have also observed the occasional inclusion of decoy documents in the archive files, as well.  

The malicious LNK files are simple downloaders that employ mshta.exe to download and execute a remote HTA file on the infected endpoint.

LNK files downloading and executing remote HTA files.  

The malicious HTA files employed in this campaign have seen a steady evolution with the latest variant downloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are accomplished by running PowerShell-based commands.  

Malicious HTA.

**Custom-built final payloads**

YoroTrooper has been consistently introducing new malware into their infection chains in this campaign, including both custom-built and commodity malware. It is worth noting that while this campaign began with the distribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include Python-based malware. This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign.

**Custom Python RAT**

The custom-built Python-based RAT is relatively simple. It uses Telegram as a medium of C2 communication and exfiltration and contains functionality to:  

*   Run arbitrary commands on the infected endpoint.
*   Upload files of interest to the attacker to a telegram channel via a bot.  
    

This bot was wrapped up into a .exe either using PyInstaller or Nuitka and then deployed in the field. There are some interesting observations here suggesting that the adversary may be speak Russian:

*   The presence of telegram messages in Russian such as: “Сохраняю в {save\_dir}” or “Файл загружен!\\nИмя”.
*   Code that decodes the output of a command run on the system into CP866 - Code page for Cyrillic.  
    

Snippet: Python based RAT used by YoroTrooper.  

**Customized stealer script**

Another Python-based payload distributed in January 2023 consists of a simple stealer script that will extract login data for the Chrome browser and exfiltrate it via a Telegram bot. This custom script has likely been stitched together from publicly available sources, such as Lazagne:  

**Commodity and miscellaneous malware**

YoroTrooper has relied heavily on the use of primarily two commodity malware families,  AveMaria/Warzone RAT and LodaRAT, especially in October and November 2022. AveMaria is a highly prolific malware family available for sale online, while LodaRAT is a RAT-based family whose authorship has been attributed to the Kasablanka threat actor.  

**Stink stealer analysis**

Yet another one of the final payloads found being deployed by YoroTrooper is an open-source credential stealer called “Stink,” which is wrapped into an executable file using the Nuitka Python compiler framework.  

Stink has several modules from Chromium-based browsers that collect credentials, cookies and bookmarks, among other information. It harvests Filezilla credentials and authentication cookies from Discord and Telegram. From the system, the stealer will collect a screenshot, external IP address, operating system, processor, graphic card and running processes:

  
All modules are executed in their own process and even each process will use its own threads to speed up the information collection process. The information is stored in a temporary directory before being compressed and exfiltrated.  

The sender module is responsible for data exfiltration via a Telegram bot. As of early March, the latest version of Stink Stealer 2.1.1 has an autostart configuration option that will create a link in the startup folder of the victim profile with the name “Windows Runner.”  

Autostart configuration options.  

**Miscellaneous malware**

Apart from commodity malware, we’ve also observed YoroTrooper deploy implants serving as reverse shells against their targets. For example, in September 2022, we saw a simple Python-based reverse shell. This one, however, was missing the Cyrillic language check (CP866).  

Another set of reverse shell implants that YoroTrooper occasionally uses are Meterpreter binaries that are then used to execute arbitrary commands on the infected endpoint. This tactic was seen being used by YoroTrooper as late as February 2023.  

A C-based custom keylogger also discovered by Talos probably deployed by one of the final stage payloads consists of the ability to record keystrokes and save them to a file on disk.  

Snippet: Keylogger functionality.

**Coverage**

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs**

IOCs for this research can also be found at our Github repository here.

Talos uncovers espionage campaigns targeting CIS countries, Turkey, and European institutions including Embassies and a critical EU Health care Agency

When Dave Liebenberg started his first day at Talos, he had never even opened Terminal on a Mac before — let alone written a Snort rule or infiltrated a dark web forum.

Monday, March 13, 2023 08:03

When Dave Liebenberg started his first day at Talos, he had never even opened Terminal on a Mac before — let alone written a Snort rule or infiltrated a dark web forum.

He jokes that he was a trendsetter at Talos, becoming the first of many to break into security without having any prior cybersecurity experience. (For example, his teammate, Azim Khodjibaev, would be hired a few years after him after spending most of his career working on real-world military intelligence.)

Liebenberg originally went to college to study Chinese culture and language, and international relations. After spending several years in China teaching English and analyzing traditional Chinese security issues at think tanks back in the US, he decided to make the jump to information security when he was offered an opportunity to work on Talos’ threat intelligence and interdiction organization as a translator.

Seven years later, he is overseeing an entire team of threat intelligence analysts and hunters monitoring some of the largest threat actors in the world. And he’s since learned what a Terminal is and how to write Python code.

“At first, it was here’s a problem — go try to solve it and ask us if you have questions,” Liebenberg said. “It took a lot of self-study, a lot of mentorship and training, but I was able to pick up coding, and was able to develop my threat intelligence skills so that I could analyze different types of threats and conduct technical analysis.”

As Talos’ Head of Strategic Analysis, Liebenberg and his team have developed their own method of threat hunting and analysis and specialize in looking at the bigger picture of the threat landscape. For example, they compiled Talos’ first-ever Year in Review report in 2022, recapping major threat actor trends and malware families from the past year.

That intelligence eventually makes its way into white papers, Talos blog posts, newsletters, and bulletins for government and sector partners.

“We like to do long-term threat actor tracking, trend analysis and comprehensive threat analysis,” he said. “We’re taking a wholistic approach and asking, ‘How can we arrange, analyze and compare our data  so we can say something in general about the threat landscape?’”

His fluency in the Chinese language and culture still helps, though, as China-backed APTs continue to be some of the most active on the threat landscape. Liebenberg uses his background to provide translation  and add political or cultural context to usually complicated international matters that play into cyber attacks.

While the day-to-day activities of these actors haven’t changed much over the past few years, Liebenberg said it’s vastly different from a decade ago when U.S.-China relations were in a far more positive place than they are today.

“The way things are right now is incredibly tense,” he said. “But like most threat activity that’s originating from a country, it’s an incredibly complex ecosystem. You have cyber criminal actors, actors who are directly aligned with the state, and there are all sorts of intermingling. It’s difficult to identify the prototypical type of attack coming from China. In terms of APT activity, it’s a lot of espionage-focused, more theft-focused, maybe a little less brash than you might think.”

It wasn’t always his plan to study China, though. Liebenberg thought he’d attend college and take French as a language requirement, something he studied in high school. Looking to pass out of the class, Liebenberg now fondly remembers outright failing the entrance exam, and his collegiate advisor suggested he take Chinese, instead.

Liebenberg has built out a team of writers and researchers who also have unconventional cybersecurity backgrounds, many of them coming from outside the industry or bringing in several years of government experience. He himself has worked on U.S-China relations at the Council of Foreign Relations and the Center for Naval Analysis.

The team digs through telemetry, partner shares, honeypots, and dark web forum posts, always consulting with Talos’ diverse collection of subject matter experts and keeping abreast of current events. Their threat hunting also assists in actor tracking and blocking malicious infrastructure, payloads, and tools in Cisco Security’s product suite. They also work very closely with Talos’ incident response team and publish a quarterly report on IR trends. Oftentimes, this leads to the “traditional” Talos detection content like Snort rules, ClamAV signatures and blocks on IPs and URLs.

“We’re this niche group of people who have backgrounds in analysis who maybe weren’t strictly cyber analysis, but now we’re taking a multi-disciplinary approach,” he said. His first two hires as a manager, Kendall McKay and Caitlin Huey, were key to the team’s growth and broadening portfolio.

This can certainly become a grind — as much of the cybersecurity field can be — so Liebenberg makes sure to carve out time with his wife Kathleen and dog Garth to unwind. He also loves reading and watching movies, though despite his interest in real-world politics and international relations, Liebenberg jokes that almost never reads  non-fiction books.

Back at work, Liebenberg says he most looks forward to dealing with active, ongoing security incidents and trying to solve a problem in real time.

“When I’m able to help a customer who is dealing with an active, serious issue, and we do something that’ll have a huge impact — that real-world effect is what makes me most proud,” he said.

Researcher Spotlight: How David Liebenberg went from never having opened Terminal to hunting international APTs

Don't expect AI to suddenly start stealing jobs or making malware more powerful.

Thursday, March 9, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

There is no shortage of hyperbolic headlines about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as we know it.

It’s the talk of SEO managers everywhere who can’t wait to find a way to work “ChatGPT” into a headline. And in the security community, everyone is concerned that AI models will help attackers get smarter, faster or more dangerous.

The biggest issue I’m seeing with that is these tools aren’t that smart.

Other writers have done a far more eloquent and interesting job than I can in a few dozen words here about how bad these models are at writing creatively or interpreting human emotion, but I wanted to put my own spin on things with my incredibly niche interests and use case for ChatGPT.

First, I asked it to help me write this newsletter. While it politely declined to do the whole thing for me because it can’t produce something on Talos’ behalf, it did start to compile a list of “the top stories we’re following this week.”

These headlines included an update on the Cring malware that seems to be referencing a campaign from November 2021, a 16-month-old CVE from Microsoft and a story about money laundering in “Fortnite” that broke in January 2019.

Then I decided to ask it about wrestling, mainly because I was fresh off watching AEW: Revolution this weekend, about who will eventually beat Maxwell Jacob Friedman for the company’s title. The information it provided was shockingly lackluster considering a quick Google provided more accurate details.

One of the examples it floated was that Bryan Danielson could eventually dethrone MJF, and that “if” they two were to face, it’d be a “must see” match. Problem is, the two did literally face off Sunday night and Danielson lost. Another option, CM Punk, would create a “huge moment” for the company if he won the AEW titles, something he’s already done twice (he also may never appear on TV again, but that’s a long story for not this newsletter).

These are two incredibly specific examples, but I felt like it was cathartic for me to see this in action so I didn’t have to lose any sleep over thinking ChatGPT or another AI was going to take my job from me next week, or my wrestling fandom for that matter.

**The one big thing**

U.S. President Joe Biden’s administration released its new National Cybersecurity Strategy on March 2, outlining steps the federal government plans to take to combat cyber criminals, defend critical infrastructure and enforce security regulations in oft-targeted industries. The administration said it will pursue laws to hold software companies liable if they sell technology that lacks proper cybersecurity protections, and use "national powers” to disrupt state-sponsored actors.

**Why do I care?**

This is the first new cybersecurity policy from the U.S. government in five years, outlining how the next few years of cybersecurity policy may look and what other goals would look like in a hypothetical second term for Biden. If the desired laws eventually pass and are enforced, they would represent a major shift in the way we view digital service providers and reframes how government and private entities should look at cybersecurity.

**So now what?**

The strategy doesn’t mean much for the average user right now, but it does mean there will be heavy debates in the near future about regulating the software-as-a-service industry and the monetary investment needed to address many of the issues the Biden administration outlined.

**Top security headlines of the week**

Meta, Google and other social media sites are **sharing user data and chat logs to prosecute individuals in states where abortion is illegal.** Since the Supreme Court overturned U.S. national abortion law last year, there have been several cases where prosecutors have relied on data collected by online pharmacies, social media posts, and user data requests to charge women who were seeking an abortion. Online pharmacies that sell abortion medication share sensitive information with Google and other third-party sites, including users' web addresses, relative location and search data, which the third parties may eventually be asked to turn over to law enforcement. The large companies who manage this data rarely turn down law enforcement requests for data. (Insider, Mashable)

After the one-year anniversary of Russia’s invasion of Ukraine, experts are looking at how **this has become one of the world’s first hybrid wars**, including Russia’s many cyber weapons its deployed against Ukraine over the past year. Other countries who feel they may be vulnerable to large-scale cyber attacks from nation-states (such as Taiwan against China) can learn quite a bit from how Ukraine has responded so far to Russian attacks. A new deep-dive report also outlines how crucial a cyber attack against the Viasat satellite network helped Russia prepare for its ground invasion just a few days prior. (NPR, Bloomberg)

Password management company **LastPass said attackers accessed a decrypted vault available to only a handful of company developers by hacking an employee’s home computer** in August. The new details add on to a data breach the company first disclosed several months ago. LastPass said an unknown threat actor stole valid login credentials from a senior DevOps engineer and accessed the contents of a LastPass data vault. That vault contained access to a shared cloud storage environment that included encryption keys for customers’ vault backups stored on Amazon S3 buckets. The attackers reportedly exploited a flaw in Plex, a media-sharing software, to access the user’s home device in the first place. Plex disclosed its own data breach in late August. (Ars Technica, Wired)

**Can’t get enough Talos?**

*   Threat Roundup for Feb. 24 - March 3

*   Talos Takes Ep. #129: The benefits of taking an active approach to threat defense
*   The role of cyber weapons in Russia's war on Ukraine

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (March 9, 2023) — Stop freaking out about ChatGPT

Prometei botnet continued its activity since Cisco Talos first reported about it in 2020.  Since November 2022, we have observed Prometei improving the infrastructure components and capabilities.

Prometei botnet improves modules and exhibits new capabilities in recent updates

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 24 and March 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key